File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.
Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?
Cause all I care about is that he is not hammering my webserver with the latest virus.
And people who complain about how much of a pain Samba can be to set up can now realize that at least we're not sharing with the whole world.
Not to be a dick, but Microsoft, wtf?
I thought this was already common knowledge. Grab a copy of any P2P software and spend a few minutes port scanning clients you see in it. I spent an afternoon printing warnings on people's printers, with instructions on how to disable file & print sharing. It's quite an amazing thing to witness. About half of them are wide open, and don't require any password to mount the C drive or print documents. smbclient is a really fun utility. :)
Duuuuh. 2 minutes of searching finds out that it's probably a RPC vulnerability scanner. Search a bit before starting to panic, please.
both here and in the world.
The reason this was likely done is that SP2 enables the firewall by default, so you don't want people calling asking why their file shares and printer shares don't work.
In addition to that, if it is a local network like that, they have a router in the first place, so they are safe.
In addition to that... remember that in Windows XP, unless you CREATE a share, it is not going to be there (even though file and printer sharing may be turned on).
In addition to THAT... WinXP by default has Guest turned off, so you would have to be an authenticated user to get access.
Someone is trying to be sensationalist and not thinking about things.
RoundTop
The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
bw
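The retry behaviour the comment above asks for (stop at once when a connection is administratively prohibited, back off and give up after "three strikes" otherwise) is easy to state as a small policy. The following is an added example written for this page, not code from the article, from Microsoft or from the commenter; the errno classification, the "three strikes" limit and the scripted failure sequences are assumptions made for the illustration.

```python
import errno
import socket
import time

# Errors meaning the connection is administratively prohibited or
# impossible. Retrying will not change the answer, so stop at once.
PERMANENT_ERRNOS = frozenset({
    errno.ECONNREFUSED,  # RST from the host, or a firewall's reject action
    errno.EHOSTUNREACH,  # ICMP host unreachable / administratively prohibited
    errno.ENETUNREACH,   # no route to the network
    errno.EACCES,        # local policy refused the connection
    errno.EPERM,
})

# Errors that may clear on their own and are worth a bounded retry.
TRANSIENT_ERRNOS = frozenset({errno.ETIMEDOUT, errno.EAGAIN, errno.EINTR})


def classify(err):
    """Map an OSError to 'permanent', 'transient' or 'unknown'."""
    if isinstance(err, socket.timeout):
        return "transient"
    code = getattr(err, "errno", None)
    if code in PERMANENT_ERRNOS:
        return "permanent"
    if code in TRANSIENT_ERRNOS:
        return "transient"
    return "unknown"


def connect_with_policy(connect, max_strikes=3, base_delay=0.0, sleep=time.sleep):
    """Run connect() under a 'three strikes' retry policy.

    connect -- zero-argument callable; returns a value on success, raises OSError on failure.
    Returns (result, attempts, reason); reason is 'ok', 'permanent' or 'struck_out'.
    Transient and unknown errors count as strikes; permanent ones end the loop at once.
    """
    strikes = 0
    attempts = 0
    while True:
        attempts += 1
        try:
            return connect(), attempts, "ok"
        except OSError as err:
            if classify(err) == "permanent":
                return None, attempts, "permanent"   # prohibited: do not spin
            strikes += 1
            if strikes >= max_strikes:
                return None, attempts, "struck_out"  # three strikes and you're out
            # Back off before the next try so a stuck peer cannot keep us busy.
            sleep(base_delay * (2 ** (strikes - 1)))


def scripted_connect(codes):
    """Constructed test double: raise OSError(code) for each code in turn, then succeed."""
    pending = list(codes)

    def connect():
        if pending:
            raise OSError(pending.pop(0), "simulated failure")
        return "connected"
    return connect


def demo_prohibited():
    """Firewall rejects the connection: one attempt, then give up."""
    return connect_with_policy(scripted_connect([errno.ECONNREFUSED]), sleep=lambda _: None)


def demo_struck_out():
    """Peer keeps timing out: three attempts, then give up."""
    return connect_with_policy(scripted_connect([errno.ETIMEDOUT] * 10), sleep=lambda _: None)


def demo_recovers():
    """Two timeouts, then success on the third try."""
    return connect_with_policy(scripted_connect([errno.ETIMEDOUT] * 2), sleep=lambda _: None)


def demo_closed_loopback_port():
    """Real socket: a loopback port with no listener is refused and never retried."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # nothing listens on `port` now

    def connect():
        with socket.create_connection(("127.0.0.1", port), timeout=1.0):
            return True
    return connect_with_policy(connect)


if __name__ == "__main__":
    for demo in (demo_prohibited, demo_struck_out, demo_recovers, demo_closed_loopback_port):
        print(demo.__name__, demo())
```

The point of the classification is the one the comment makes: a refused or "administratively prohibited" answer is a decision, not a transient condition, so a well-behaved client stops after one attempt; only timeouts earn a bounded, backed-off retry.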
My printer has a JetDirect ethernet card in it. It's got its own webserver and can handle the Internet Printing Protocol. You could print to it from across the globe if you knew the IP and it was outside a firewall (or you use a VPN or something).
So what would happen if I just "set it free"? Would anyone notice? Would people start printing spam out of it? Would they try to print Goats.ex stuff?
Anyone ever done this (either on purpose or accidentally)? Anything happen? Just curious. I mean I can understand the appeal of files, but does anyone care about "open" printers?
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
I just can't wait to see the **AA go up against M$ over this.
Does this mean that they won't use Microsoft DRM anymore?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It's conceivable that the print server could get rooted. Most of them are powerful enough to run a telnet session or web server. Instead of firing random printjobs at you, the printer could be turned into a spambot or DDOS node.
I am that AC, and if you RTF post you would realise that I was saying there is NO WAY that this would happen without user intervention. It simply DOES NOT do this. I install and test around 30 XP machines a week, and this has NEVER happened. It's simply not true.
My suspicion is that the "bug" is that while the XP SP2 firewall closes File&Print sharing on public IP addresses, there are several ISPs out there that give internet-connected computers private network (10.x.x.x) IP addresses.
XP's firewall thinks that the machine is on a private network (and thus behind a hardware firewall), and so it allows access through the firewall. Unfortunately, in this case, the ISP screwed up and put the private IP on the internet without protection.
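The scenario the comment above describes can be checked numerically. The SP2 firewall's File and Printer Sharing exception is scoped to the local subnet, and the model below evaluates that scope as "peer is on the same subnet as the interface"; whether SP2 additionally special-cases RFC 1918 ranges is the commenter's hypothesis, and the example does not assume it. This is an added example written for this page, not code from the article or the commenter; the home-LAN and ISP addressing, prefix lengths and peer addresses are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges, the ones a "private network means trusted" heuristic would act on.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def local_subnet(iface_addr, prefixlen):
    """The subnet a 'local subnet only' scope is computed from (interface address + mask)."""
    return ipaddress.ip_interface(f"{iface_addr}/{prefixlen}").network


def scope_allows(iface_addr, prefixlen, peer_addr):
    """Model of the 'local subnet only' rule: a peer is allowed iff it shares our subnet."""
    return ipaddress.ip_address(peer_addr) in local_subnet(iface_addr, prefixlen)


def exposed_hosts(iface_addr, prefixlen):
    """How many other host addresses the scope lets in (network/broadcast excluded)."""
    net = local_subnet(iface_addr, prefixlen)
    me = ipaddress.ip_address(iface_addr)
    return sum(1 for h in net.hosts() if h != me)


def audit(iface_addr, prefixlen, peers):
    """Return which of `peers` would reach a share under the local-subnet scope."""
    return [p for p in peers if scope_allows(iface_addr, prefixlen, p)]


# Constructed scenarios (assumptions for the illustration, not from the article):
HOME_LAN = ("192.168.1.10", 24)     # behind a NAT router: every host on the subnet is yours
ISP_PRIVATE = ("10.5.12.34", 16)    # ISP hands out 10.x addresses directly to subscribers
STRANGERS = ["10.5.77.3", "10.5.200.9", "203.0.113.5", "192.168.1.20"]

if __name__ == "__main__":
    for name, (addr, plen) in (("home LAN", HOME_LAN), ("ISP-assigned 10/16", ISP_PRIVATE)):
        print(f"{name}: private={is_private(addr)} subnet={local_subnet(addr, plen)} "
              f"other hosts in scope={exposed_hosts(addr, plen)} "
              f"reachable by={audit(addr, plen, STRANGERS)}")
```

Both interfaces carry an RFC 1918 address, so a "private means trusted" heuristic treats them alike; the subnet arithmetic does not. Behind the home router the scope admits 253 addresses that all belong to you, while a 10/16 handed out by an ISP admits 65,533 addresses that belong to other subscribers, any of whom can reach the share.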
" Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?"
It generates comments, and comments generate ad hits, and ad hits generate revenue. Somebody chimes in and says "That proves it, Microsoft utterly and completely dropped the ball, may they go down in flames!" Slashdot gets money. That's a gross oversimplification of how Slashdot generates revenue, but I have to admit, I'm seriously impressed on how they capitalized on anti-MS FUD.
My point? Well, your beef really isn't with Slashdot. It's with the people commenting in stories like this. Lots of people are competing to get that +5 comment, and a lot of people with mod points out there (not all of them, maybe not even most) mod up the "this is proof that MS is OCP evil!" comments.
I agree with you that the idea of not visiting is interesting. I'm rather sick of odd conclusions being drawn then lauded.
"Derp de derp."
Yes
Depending on the setup there are many ways to get access to the printers.
All google needs is one link.
I've been hit by spam before (shock of all shocks), and did some digging on the foreign computers. Some of them had open printers ready for writing to over SMB. I'd print out a note in English and what I guessed was their language (Portuguese in this case) suggesting they get some spyware removal software. heh.
So if this affects a small number of people, why on earth is the title "File and Printer Sharing Insecure in XP SP2"?
If BMX promote their bikes as "Trustworthy Cycling" with a "Safety Update", that's language which implies that a user doesn't need any 3rd-party stuff to make it secure. It certainly doesn't imply that the most common method of using the bike (on public roads) or PC (directly connected to the internet) is known to be likely to cause major problems, which is the case with MS Windows (so far).
Second this. Seriously, people complain about MS running FUD campaigns. Know what? Their complaints are legitimate. That's why a lot of people in the know don't like Microsoft much.
.NET is useful, but implement things like inferred static types with ranges used to help detect buffer overruns. Lots of code (most code being run out there) is in C or C++ and will be for a long time to come. I know you hire a ton of people to MS Research from Carnegie Mellon each year, and I know that there are a ton of good language design people at Carnegie Mellon. Use said people.
The solution is to continue to provide better information than Microsoft does, not to do the same damn thing about some stupid Microsoft service pack (which, FWIW, I'd say is the most security-oriented and Slashdotter-happiness-inducing patch Microsoft has come out with in years, beating many Linux distributions to noexec stack protection). FUD bites people on their own asses.
The Slashdot furor over SP2 is absolutely *absurd*. Security? Consider the fact that 95/98 allowed a remote user to extract and print out users' share passwords remotely from anywhere on the Internet in a few seconds using a Wargames-style algorithm (linear time in length of password), just with a few lines of C code added to smbclient. Consider the fact that Windows NT 4, by default, came with a default account (Administrator) with no password, with all drives shared to that account in "hidden" shares that were only hidden because of a client convention not to display shares, and automatically re-enabled said administrative shares at reboot if a user tried disabling them. File sharing problems? Man, nothing Microsoft can *possibly* do will ever come close to the security blunders of their past. Microsoft is getting better. They've got a long way to go -- they don't have a native sandboxing mechanism (a la chroot jails), they have problems with their GUI-oriented API (see "Shatter" style attacks), they have charming comments in the MSDN API documentation like (extracted from memory from one particularly egregious CAPI call) "This parameter should never be used due to security problems. Some developers may wish to use this parameter to provide compatibility with Microsoft cryptographic service providers."
Microsoft, you want real credibility, the ability to sell coders that you've got some real things going over Linux? Do the following:
* Provide sandboxing functionality. You just purchased Virtual PC, yes, but I'm talking about OS-level sandboxing, not the slow and less functional hardware-level sandboxing. Let me run IIS in an isolated sandbox, where nothing gets out. Enforce this with the OS, not with application conventions.
* You provide the overwhelmingly dominant compiler for your platform. Yes,
* Do not run your RPC/filesharing/printsharing system by default. It's been the source of God knows how many security problems. Yes, I'm sure that you have lots of long-time Microsofties that are thrilled with it. This isn't 1985 any more, and machines are on networks and often poorly administered. A vanilla box shouldn't have a single packet passing up past the level of the TCP stack. There should be no listening ports in a default Windows install. That means that (a) you don't have to worry about pissing off sysadmins after you blame *them* for not firewalling your broken software that runs out of box and (b) you don't have to worry nearly as much about disastrous, media-worthy waves of worms.
* Start an application-level security certification program for certain basic characteristics -- like being able to install and run an application without having administrative rights.
* You *still* don't use key or cert caching with your SMB/CIFS system. This should be a default. When I connect to a server with openssh on my Linux box, that server's key gets *cached*, and if a man-in-the-middle attack is later attempted, I get a warning that the key has changed and that a man-in-the-middle
May we never see th
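The "Wargames-style" share-password attack mentioned in the comment above works because the Win9x server compared only as many bytes of the stored password as the client sent, so each byte can be confirmed independently and the whole password falls in time linear in its length. The following is an added example written for this page, not code from the comment, from smbclient or from Microsoft: it models the flawed comparison and the fixed one in Python, runs the byte-at-a-time recovery against both, and counts the queries. The password, the guess alphabet (uppercase plus digits) and the maximum length are assumptions for the illustration.

```python
import hmac
import string

# Search space for each guessed byte. Win9x share passwords were short and
# case-folded, so an uppercase alphanumeric alphabet is assumed here.
ALPHABET = (string.ascii_uppercase + string.digits).encode()


def vulnerable_check(stored, supplied):
    """Constructed model of the flaw: only len(supplied) bytes are compared."""
    n = len(supplied)
    if n == 0 or n > len(stored):
        return False
    return stored[:n] == supplied


def fixed_check(stored, supplied):
    """Correct comparison: full length, constant time, length mismatch is a failure."""
    return hmac.compare_digest(stored, supplied)


def recover(oracle, alphabet=ALPHABET, max_len=14):
    """Extend the guess one byte at a time. Returns (recovered_bytes, queries_used)."""
    known = b""
    queries = 0
    while len(known) < max_len:
        for c in alphabet:
            queries += 1
            if oracle(known + bytes([c])):
                known += bytes([c])
                break
        else:
            break  # no single-byte extension was accepted: the password is complete
    return known, queries


def demo(password=b"S3CRET", alphabet=ALPHABET):
    """Run the attack against both servers; returns ((weak result), (fixed result))."""
    weak = recover(lambda guess: vulnerable_check(password, guess), alphabet)
    strong = recover(lambda guess: fixed_check(password, guess), alphabet)
    return weak, strong


def worst_case_queries(password_len, alphabet=ALPHABET):
    """Upper bound on queries for the prefix attack: one alphabet sweep per byte, plus one to stop."""
    return (password_len + 1) * len(alphabet)


if __name__ == "__main__":
    (weak_pw, weak_q), (strong_pw, strong_q) = demo()
    print(f"vulnerable server: recovered {weak_pw!r} in {weak_q} queries "
          f"(bound {worst_case_queries(len(weak_pw))})")
    print(f"fixed server:      recovered {strong_pw!r} after {strong_q} queries, then stopped")
```

Against the flawed comparison the attack confirms one byte per alphabet sweep and learns the length for free: the first position where no extension is accepted is the end of the password. Against `hmac.compare_digest` a one-byte guess never matches a longer password, so the very first sweep fails and nothing is learned; the full-length, constant-time comparison is the fix.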
I remember one winter in Montreal. Police officers were walking alongside the cars parked on the street, checking that the doors were locked. She ran to them, shouting at them not to lock and close her door. No keys were able to open them anymore.
I've never considered that what these officers were doing could be illegal. But then I'm Canadian, and in Canada we have the Good Samaritan law, which states that you can't be prosecuted for trying to help somebody. Personally, I prefer that to an "I'll sue your ass off and then some more" law system.
The same way that if you smell gas coming from a private garage you'd better tell its owner that he might have a fire hazard on his hands, why not tell someone that he has a hacking hazard on his hands?
-ph
We're not just talking about an open door, we're talking about a house with the door wide open and advertisements on the street saying "Come on in, public laser printer inside!". Windows Shares are exactly that -- shares. They are being shared out publically. The fact that Microsoft makes it possible to share things by accident is simply a demonstration of how hideously insecure Windows is. This is WAY beyond the simple flaws that Windows is known for -- those kinds of flaws are understandable and have been shared by other OS's (like certain versions of Redhat Linux, and MacOS more recently).